The Windows print nightmare continues for the enterprise

All right, Microsoft, we need to talk. Or rather, we need to print. We really do. We are not all paperless out here in the small business world — many of us still need to click the Print button inside our business applications and print things out on an actual sheet of paper, or send something to a PDF printer. But over the last several months you’ve made it nearly impossible to stay fully patched and keep printing.

Case in point: the August security updates.

Microsoft made a change in how Group Policy printers are handled when it changed the default Point and Print behavior to address “PrintNightmare” vulnerabilities affecting the Windows Print Spooler service. As noted in KB5005652, “by default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

  • Install new printers using drivers on a remote computer or server
  • Update existing printer drivers using drivers from remote computer or server”

However, what we’re seeing over on the PatchManagement.org list is that anyone with a V3 style of print driver is having their users prompted to reinstall drivers or install new drivers. More specifically, when the print server is on a Server 2016 server, the printers are pushed out through Group Policy, and the printer driver from the vendor is a V3 driver, it is triggering the reinstallation of print drivers. We’re also seeing that when the patch is on the workstation and not on the server, it is triggering a reinstallation of the print drivers.

Given that firms are likely to keep users without administrator rights to limit lateral movement (and quite frankly because Microsoft has told us over the years that running with administrator rights was a bad thing), we’re now having to decide whether to give users local administrator rights, make a registry key adjustment that weakens security, or roll back the patch until Microsoft figures out what went wrong.

Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

But doing so exposes you to publicly known vulnerabilities, and neither Microsoft nor I recommend it.
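
To find machines that were left with this weakened setting, the value can be read back and classified. The following is an added example, not part of the original article; the function name and the state labels are illustrative.

```powershell
# Added example: report how Point and Print driver installation is configured locally.
function Get-PointAndPrintRestriction {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $name = 'RestrictDriverInstallationToAdministrators'

    # The key or the value may be absent; treat both as "not configured".
    $value = $null
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $value = [int]$props.$name
        }
    }

    $state = if ($null -eq $value) {
        'NotConfigured'   # per KB5005652, patched systems then behave as if set to 1
    } elseif ($value -eq 0) {
        'Weakened'        # non-administrators can install drivers via Point and Print
    } else {
        'Restricted'      # driver installation requires administrator rights
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        State    = $state
    }
}

$result = Get-PointAndPrintRestriction
$result
if ($result.State -eq 'Weakened') {
    Write-Warning "$($result.Computer): the Point and Print driver restriction is disabled."
}
```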

Getting to the heart of the print problem

Microsoft has privately acknowledged in a support case that “the admin/install prompt for already-installed drivers and already-installed printers is unexpected behavior.” It went on to say, “We have received new reports that this is also affecting customers where the drivers/printers, etc. are already installed and it is now under investigation, we do not have an estimated time of fix yet, but we are working on it.” But while the company may be privately acknowledging that there is a problem with printing, it is not showcasing it on the Windows health release dashboard.

Anthony J. Fontanez has blogged here and here with some good discussion of what is going on. As he points out, one of the solutions is to ensure you have V4 printer drivers deployed in your network. But therein lies a problem — it is often extremely hard to determine if drivers are V3 or V4. In the case of Hewlett Packard printers, PCL 6 denotes V3, while PCL-6 (note the hyphen) denotes V4. You may have to deploy the drivers on a test virtual machine in order to determine exactly what printer driver you have.

If your printer vendor doesn’t have a V4 version of the printer driver, make sure that you reach out to your vendor — especially if the printers are under active leases — and demand that they come out with a revised driver. As Fontanez wrote, “V4 drivers use a model-specific driver on the print server side. When clients connect to a printer on a server using a V4 driver, they do not download any driver. Instead they use a generic preloaded driver named ‘Microsoft enhanced Point and Print.’” However, some network admins have indicated that the V4 drivers aren’t the solution either.
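
Once a driver is installed, on the print server or on the test virtual machine, the PrintManagement cmdlets report its driver model directly. The following is an added example, not from the original article or from Fontanez's posts; the function name and output columns are illustrative.

```powershell
# Added example: list installed print drivers with their driver model (V3 or V4)
# and the shared queues that depend on each one.
function Get-PrintDriverModel {
    [CmdletBinding()]
    param(
        # Optional remote print server; omit to inspect the local machine.
        [string]$ComputerName
    )

    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }

    $drivers  = Get-PrinterDriver @target
    $printers = Get-Printer @target

    foreach ($d in $drivers) {
        # Printer queues bound to this driver
        $queues = @($printers | Where-Object { $_.DriverName -eq $d.Name })
        $shared = @($queues | Where-Object { $_.Shared } | ForEach-Object { $_.Name })

        [pscustomobject]@{
            Driver       = $d.Name
            Model        = "V$($d.MajorVersion)"   # MajorVersion is 3 or 4
            Environment  = $d.PrinterEnvironment
            Manufacturer = $d.Manufacturer
            QueueCount   = $queues.Count
            SharedQueues = $shared -join ', '
        }
    }
}

$inventory = Get-PrintDriverModel
$inventory | Sort-Object Model, Driver | Format-Table -AutoSize

# V3 drivers that back at least one shared queue: the ones to raise with the vendor
$inventory | Where-Object { $_.Model -eq 'V3' -and $_.SharedQueues }
```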

But even if you could get the August updates installed in your network, that does not mean you are fully protected from print spooler vulnerabilities. There is yet another CVE (CVE-2021-36958) for which we have no patch, and the only workaround is to disable the print spooler. All we officially know at this time is that “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

If you are a consumer, the problem is not quite as bleak. I’ve yet to see a home or consumer user have problems with printing or scanning after the August updates were installed. That said, we are still vulnerable to the unpatched CVE-2021-36958. If you already have the August updates installed and you are not having any side effects with printing or scanning, leave the August security updates installed.

So what can you do at this time if you run a business and you have to print?

  • Review what servers and computers absolutely have to print. Clearly the foundational security problems with the print server code have yet to be fixed, and it does not appear they will be fixed soon.
  • Consider printing a specific right that you grant only to those in your network who really need that right, instead of having the print spooler service automatically enabled throughout your network.
  • Disable the service on all domain controllers and keep it that way until further notice.
  • Limit the servers in your network that have print server roles.
  • Try to restrict those servers as best you can so you can monitor and limit traffic to these machines.
  • Disable the print server role on workstations unless they have to print.
  • Reevaluate your workflow and processes and see if there are ways to move such business flows to web-based processes or anything that won’t depend on paper, toner, and printers.
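
To check the domain controller item above, and the stop-and-disable workaround quoted for CVE-2021-36958, the Print Spooler service state can be audited remotely. The following is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module and WinRM/CIM access to the domain controllers, and the function name is illustrative.

```powershell
# Added example: report Print Spooler state on every domain controller.
Import-Module ActiveDirectory   # assumption: RSAT is installed on the admin workstation

function Get-SpoolerState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $c
                State     = $svc.State        # Running / Stopped
                StartMode = $svc.StartMode    # Auto / Manual / Disabled
                # Compliant only when the service is both stopped and disabled
                Compliant = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped
            [pscustomobject]@{
                Computer  = $c
                State     = 'Unreachable'
                StartMode = $null
                Compliant = $false
            }
        }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
Get-SpoolerState -ComputerName $dcs |
    Sort-Object Compliant, Computer |
    Format-Table -AutoSize

# Applying the workaround on a host that does not need to print (run locally, elevated):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```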

A final word to Microsoft

Microsoft, you need to do better than you are doing now. Because we do still print. And over the last year you have broken printing far too many times. I realize that you may be paperless and moving to digital everything, but be a bit more mindful that your business customers aren’t quite there yet.

Your customers should not have to make the painful decision to remove the update in order to function in their business, or worse yet have to perform a registry tweak, which lets the business print but exposes the firm to vulnerabilities as a result.

I’ve been patching systems for more than 20 years, and if the best thing we can tell a business at this time is to “uninstall the update in order to continue to be in business,” we have not fixed a thing in 20 years of updating. Businesses still cannot immediately patch like you urge us to do. We still have to wait to see if there are side effects and deal with the aftereffects.

So, Microsoft? If you want us to patch immediately, you need to recognize that many of us still need to print.

Copyright © 2021 IDG Communications, Inc.